A medical record in paper or electronic format provides a written account of a patient's medical history, containing information about diagnosis, treatment, chronological progress notes and discharge recommendations. A whole raft of legislation, standards and guidance on what has become known as 'Information Governance' has been produced in the last few years to cover issues of access, confidentiality and disclosure. The Health and Social Care Act 2008 established the National Information Governance Board for Health and Social Care (NIGB) as the body with statutory duty to oversee information governance. One of its functions is to allow the common law duty of confidentiality to be set aside in specific circumstances.
The following are the main pieces of legislation covering the creation, storage and sharing of health information:
- Common law duty of confidence - confidential patient information may only be disclosed:
  - with a patient's consent, or
  - where it is required or permitted by law (statutory instrument or Court Order), or
  - where the public good achieved by disclosure outweighs the individual's right to confidentiality
- Computer Misuse Act 1990 - identifies a range of offences relating to unauthorised access to, or unauthorised modification of, computer records. This Act may apply where an unauthorised third party accesses information being transferred. Enforcement is difficult and prosecutions are uncommon, but the Act may be relevant where systems are used by anyone other than authorised staff, or for anything other than approved purposes.
- Access to Health Records Act 1990 - provides a qualified right of access to the records of a deceased individual where the person seeking access has an interest in the estate of the deceased. It only applies to records created after 1st November 1991.
- The Data Protection Act 1998 - eight principles which define the conditions under which processing (including recording, storage, manipulation and transmission) of personal data can be determined to be legally acceptable. There is a special section in the Act addressing the sensitive nature of health information and the need of health professionals to communicate that information between themselves. The Act gives patients rights of access to their medical records and applies to electronic and paper-based record systems. The Act requires that patients be made aware of who will see their personal data and for what purpose. It does not prevent clinical data from being shared for NHS purposes but may require explicit consent from patients for other uses (eg to investigate fraud). The eight principles state that information should be:
  - fairly and lawfully processed
  - processed for limited purposes
  - adequate, relevant and not excessive
  - not kept for longer than is necessary
  - processed in line with subjects' rights
  - not transferred to countries without adequate protection
- Freedom of Information Act 2000 - gives a general right of public access to all types of recorded information held by public authorities (including GP practices), sets out exemptions from that general right and places a number of obligations on public authorities. A response to a request for information must be made within 20 working days. From a GP's perspective, this Act is intended to cover general information held by the practice, not personal health information which is covered by other legislation (eg the Data Protection Act). It is important to get this right. If in doubt, contact your defence organisation. The Information Commissioner's Office can also be very helpful (see website link below).
- The Health and Social Care Act 2001 (and subsequent amendments in 2006 and 2008) - conveys powers to the Secretary of State for Health (in England and Wales) to make regulations to enable, or require the release of, patient information where disclosures would otherwise be restricted by the common law. This is a wide-ranging act but, concerning information, it mainly relates to processing patient information for the diagnosis and treatment of cancer, the recognition, control and prevention of communicable diseases or other risks to public health.
- Electronic Communications Act 2000 - allows for the creation and transmission of prescriptions by electronic means in cases where specified conditions are met.
- Human Rights Act 1998 - based on the European Convention on Human Rights. Of the 15 articles, the most relevant for GPs is Article 8, which provides a right to respect for privacy that can only be set aside in accordance with the law when considered necessary in a democratic state. The Government advises that this right is respected fully where there is compliance with the Data Protection Act 1998 and the common law duty of confidence.
- The General Medical Services (GMS), Personal Medical Services (PMS) and Alternative Provider Medical Services (APMS) Regulations and Directions 2004 - include provisions relating to patient records, the confidentiality of personal data, rights of access to and the provision of patient and practice information held by contractors. The Regulations provide Primary Care Organisations (PCOs) with the power to require patient, and other, information to be provided by practices where this is necessary in order for them to discharge their responsibilities. These Regulations override common law confidentiality but for GMS contracts the use of these powers must be governed by a Code of Practice. PCOs will be expected to follow the same code for PMS practices. The Code aims to ensure that the powers are invoked only where strictly necessary and that anonymised data are used wherever practicable. Useful guidance on the sharing of information with PCTs has been produced by the BMA.
- Mental Capacity Act 2005 - this was enacted in 2007. It is relevant in situations where a patient who lacks mental capacity has not appointed a representative with lasting power of attorney. In such circumstances, a senior health professional has the power to act in the patient's best interests, and this may include the sharing of information.
- The Access to Medical Reports Act 1988 - this allows patients to see medical reports about them, for employment or insurance purposes, written by the doctor with whom they normally have a patient/doctor relationship. They may see the report before it is supplied or for up to six months afterwards. Access to the report may be denied in two circumstances - if the reporting doctor feels that it contains information which may cause serious mental or physical harm to the patient, or if it contains information from a third party who has not given consent to disclosure. If they disagree with any part of the report they may withdraw consent for it to be supplied, ask for agreed inaccuracies to be altered, or require that a note be added outlining the differences between their view and that of the reporting doctor.
- The Terrorism Act 2000 - Section 19 of this Act places a statutory obligation on health professionals to disclose relevant personal health information where they believe an offence under the Act has been committed. Furthermore, if information is disclosed to the Serious Organised Crime Agency under this guidance, disclosure is exempt from any obligations of confidentiality under Section 34 of the Serious Organised Crime and Police Act 2005.
The facility to record clinical information exclusively on computer became lawful in October 2000. This raised new areas of clinical risk. See also the separate articles Paperless Medical Enterprises? and Clinical Negligence and the Electronic Patient Record.
Information security standards
The world of information security is a complex and fast-changing one and most standards apply to the NHS as a whole, or to individual computer suppliers. However, GPs may need to familiarise themselves with the terminology, particularly as practice-based commissioning develops. The main standards are:
- ISO/IEC 27002 provides guidance on best practices in information security management to ensure compliance with the current information security regulations.
- IEC 61508 sets out the requirements for ensuring that systems are designed, implemented, operated and maintained to provide the required safety integrity level. It sets out basic technical safety requirements with which computer suppliers are expected to comply.
- Informed consent - the gold standard for the disclosure of information is informed consent, unless there are clear legal reasons why this should be overridden (such as the Mental Capacity Act). The policy endorsed by all relevant bodies is that where information sharing is part of the care process and patients are made aware of the option to refuse disclosure, consent may be implied. In all other cases, specific and expressed consent must be sought. Care must be taken not to disclose information about third parties and an electronic record must be kept about any disclosure. Where patients lack capacity and also in children, guidance should be sought before disclosure (eg from the PCT, medical defence organisation, BMA or publications below).
- Anonymisation and pseudo-anonymisation - data are not confidential if the individual cannot be identified, either directly or through linkage with other data. Ethical and policy restrictions still exist, eg research guidelines. There are two categories of anonymisation:
  - anonymised (unlinked) - stripped of any elements that would allow identification of individuals
  - pseudo-anonymised (linked) - individual records could be re-identified by authorised personnel
- Data ownership - the move towards an integrated health record (see below) renders irrelevant the long-mooted discussion about who 'owns' a patient's health record. As one of several 'data controllers', GPs will have to decide whether requests to access information about their patients ('data subjects') are valid and safe, and whether consent is required. Issues surrounding confidentiality of integrated records are covered by the NHS Care Record Guarantee.
- Research - no data should be disclosed without the approval of the relevant patients, clinicians and research ethical committee(s). Extraction of patient-identifiable data, other than for routine care, should only occur, with the knowledge and informed consent of the guardian of the record (eg the GP), following approval from a Research Ethics Committee and responsible PCO and should either be with the informed consent of the patient, or be approved by the Secretary of State. See The Good Practice Guidelines for General Practice Electronic Patient Records for further information.
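The distinction drawn above between unlinked anonymisation and linked pseudo-anonymisation is easier to see in code. The following is an added example, not code from the original article or from any NHS system: it strips direct identifiers (NHS number, name, postcode) and coarsens the date of birth for an unlinked extract, and for a linked extract replaces the NHS number with a keyed pseudonym (HMAC-SHA256) so that only the holder of the key, ie the authorised data controller, can map rows back to patients. The records, NHS numbers and Read codes are constructed sample values, and the field names are assumptions.

```python
"""Unlinked anonymisation vs linked pseudo-anonymisation of a GP extract.

Added illustrative example. All records and NHS numbers are constructed and
do not refer to real patients; field names are assumed, not a real export.
"""
import hashlib
import hmac
import secrets

# Constructed sample extract. Direct identifiers: nhs_number, name, postcode.
# dob is a quasi-identifier: on its own it can allow linkage to other data.
RECORDS = [
    {"nhs_number": "000 000 0001", "name": "A Patient", "dob": "1961-04-12",
     "postcode": "AB1 2CD", "read_code": "G30..", "note": "Acute MI"},
    {"nhs_number": "000 000 0002", "name": "B Patient", "dob": "1975-09-30",
     "postcode": "AB1 2CD", "read_code": "C10..", "note": "Diabetes mellitus"},
]

DIRECT_IDENTIFIERS = ("nhs_number", "name", "postcode")


def anonymise_unlinked(records):
    """Strip direct identifiers and reduce the date of birth to a year.

    Nothing is retained that would let anyone, including the practice,
    map a row back to an individual.
    """
    out = []
    for rec in records:
        row = {k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}
        row["birth_year"] = rec["dob"][:4]
        del row["dob"]
        out.append(row)
    return out


def pseudonym(nhs_number, key):
    """Keyed pseudonym: HMAC-SHA256 over the NHS number with spaces removed.

    A plain hash would be reversible by anyone who can enumerate NHS numbers;
    with a secret key the pseudonym cannot be regenerated or reversed by a
    recipient who holds only the extract. The key stays with the controller.
    """
    digits = nhs_number.replace(" ", "")
    return hmac.new(key, digits.encode(), hashlib.sha256).hexdigest()[:16]


def pseudonymise_linked(records, key):
    """Same stripping as the unlinked extract, plus a keyed pseudonym so that
    rows for one patient can be linked across extracts made with the same key."""
    out = []
    for rec in records:
        row = anonymise_unlinked([rec])[0]
        row["pseudonym"] = pseudonym(rec["nhs_number"], key)
        out.append(row)
    return out


def reidentify(pseudo_row, register, key):
    """Authorised re-identification: the key holder recomputes pseudonyms over
    the practice register and matches. Returns the NHS number, or None if the
    key is wrong or the pseudonym is not from this register."""
    for rec in register:
        if hmac.compare_digest(pseudonym(rec["nhs_number"], key),
                               pseudo_row["pseudonym"]):
            return rec["nhs_number"]
    return None


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # held only by the data controller
    print("unlinked:", anonymise_unlinked(RECORDS))
    linked = pseudonymise_linked(RECORDS, key)
    print("linked:", linked)
    print("re-identified by key holder:", reidentify(linked[1], RECORDS, key))
    print("without the key:", reidentify(linked[1], RECORDS, b"not the key"))
```

Two points the example makes that the prose does not: a pseudonym is only as confidential as the key, so the key must be kept by the authorised personnel and never shipped with the extract; and removing direct identifiers alone is not enough, since a full date of birth combined with other released data can still identify someone, which is why both functions coarsen it.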
The growing availability of scanners has led an increasing number of practices to consider 'going paperless'. In reality, many practices still keep some manual recording systems. For medicolegal purposes, practices that wish to become exclusively paperless need to obtain accreditation from their PCO. PCOs and Local Medical Committees (LMCs) have been given the task of developing local accreditation procedures, but most base their criteria on the Good Practice Guidelines for Electronic Records endorsed by the Department of Health, the GPC and the Royal College of General Practitioners.
These guidelines suggest that for practices applying for accreditation:
- It should be possible to download demographic information into the clinical system.
- Data should be recorded in a manner that is complete, accurate, relevant, accessible and timely.
- All clinicians should participate in data recording and enter their own data directly into the clinical system, including that from home visits.
- The practice should consider what data are not recorded at all (or not consistently) on computer by some, or all, clinicians.
- Data from other primary healthcare team (PHCT) members, such as community and practice nurses, locums and registrars should be captured.
- Data from new patients should be captured on the system.
- Protocols of care and/or diagnostic criteria (where available) should be used consistently and made acceptable to the practice as a whole.
- The individuals who will design, develop and implement templates or protocols should be identified.
- Data from external providers (eg hospital discharge letters, pathology and radiology results) should be captured.
- A protocol for managing system failure should be established.
- Data quality should be monitored.
- Training for general practitioners and other practice staff involved in data capture should be considered.
- A practice IT lead should be identified.
- A baseline assessment should be carried out to enable the practice to understand what changes need to be made.
Entering information via Read coding rather than free text has revolutionised the ability of practices to search and audit their data. Whilst adequate for primary care, the Read code system does have its limitations in the wider environment of the integrated care record, and SNOMED CT (Systematized Nomenclature of Medicine Clinical Terms) has been selected as the standard terminology scheme for the National Programme for Information Technology (NPfIT, see below). The rights to the production, distribution and development of SNOMED were acquired by the International Health Terminology Standards Development Organisation (IHTSDO) in April 2007. NHS Connecting for Health (NHS CFH) will act as the host organisation of the IHTSDO, and the centre responsible for UK activities is known as the UK Terminology Centre (UKTC).
The National Programme for Information Technology
The Government's vision is to establish, through its agency Connecting for Health, an NHS information technology system which will be able to communicate within itself (eg transfer of information between GPs, the hospital sector and community services), with external agencies such as social services, and with health services globally. Accountability for delivery of this project was passed to strategic health authorities in April 2007.
A system of funding for GP computers has been instituted, called the GP Systems of Choice (GPSoC) programme. This encourages system suppliers to develop software which is compatible with the local service provider (LSP) care record. The means of ensuring this compliance is called the Common Assurance Process (CAP). Practices can choose between systems provided by their LSP or by suppliers that are contracted to offer systems on the GPSoC Framework. To date, more than 6,000 practices have received services under these arrangements.
To deliver the objectives, several components need to be in place, the most significant of which are:
- N3 - the National Network, which replaces the private NHS communications network, NHSnet. A migration programme began in 2005 and was completed in March 2007.
- GP2GP - a project to enable the transfer of the electronic component of a GP patient health record to a new practice when a patient registers there for primary healthcare. Approximately 500,000 records have been transferred to date and 5,000 practices are now using the system. Practices using EMIS LV and INPS Vision 3 systems are currently able to use GP2GP, and more will be able to do so when their suppliers come on board.
- NHS Care Records Service - aims to develop individual electronic records for every patient in England, securely accessible by the patient and selectively available to those providing care. This is an ongoing piece of work which involves input from a wide range of clinicians. An Early Adopter Programme, using summary care records, started in April 2007. The intention is to roll the project out nationally over the next few years but the pace of development is likely to be slowed due to prevailing financial circumstances.
- Choose and Book - allows GPs and other members of the PHCT to make initial hospital or clinic outpatient appointments. If preferred, patients can make their appointment later - after consulting with family carers or colleagues - either online or through a telephone booking service. The Choose and Book website states that all NHS hospitals are now using Choose and Book, along with the majority of all GP practices in England. Despite initial reservations, more than 19 million bookings have been made to date and Choose and Book activity now accounts for around 50% of all NHS referral activity from GP surgery to first outpatient appointment.
- Electronic Prescription Service - enables electronic transfer of prescriptions from primary care prescribers to dispensers in England. Release 2 is currently being rolled out to some PCOs. This enables paperless transfer of prescription information from GP practice to pharmacist and covers all necessary drugs. Over 200 million prescription messages have been transmitted electronically since the inception of the scheme.
- The NHS Spine - the national database of key information about a patient's health and care, which forms the core of the NHS Care Records Service. Detailed information will be held at local level, but the minimum data set to be held at national level will include NHS number, date of birth, name and address, allergies, adverse drug reactions, and major treatments (the Care Record Summary). This project has also had its fair share of criticism, focusing particularly on concerns about the confidentiality of the information held.
Further reading & references
- The Good Practice Guidelines for GP electronic patient records v4; Department of Health/Royal College of General Practitioners/British Medical Association, 2011
- The Information Commissioner's Office (ICO); 2010
- Patient confidentiality and access to health records (Confidentiality website); Department of Health
- National Information Governance Board for Health and Social Care; 2009
- Confidentiality: NHS Code of Practice; Department of Health, November 2003
- Computer Misuse Act 1990
- Access to Health Records Act 1990
- Data Protection Act 1998
- Freedom of Information Act 2000
- Health and Social Care Act 2001
- Electronic Communications Act 2000
- Human Rights Act 1998
- Confidentiality and Disclosure of Information: General Medical Services (GMS), Personal Medical Services (PMS) and Alternative Provider Medical Services (APMS) Code of Practice; Department of Health, 2005
- Confidentiality and disclosure of information to PCTs in primary care settings; BMA, 2007 (requires BMA membership)
- Mental Capacity Act 2005
- The Access to Medical Reports Act 1988; Department of Health
- Terrorism Act 2000; Office of Public Sector Information
- ISO/IEC 27002; International Electrotechnical Commission, 2007
- IEC 61508; International Electrotechnical Commission, 2007
- The Care Record Guarantee; National Information Governance Board (NIGB), 2009
- International Health Terminology Standards Development Organisation; ihtsdo.org, 2009
- SNOMED Clinical Terms; NHS Connecting for Health, 2009
- National Programme for IT; Connecting for Health, 2009
- Choice of System; Connecting for Health, November 2007
- N3; Connecting for Health, 2009
- GP2GP; Connecting for Health, 2007
- NHS Care Records Service; 2007
- NHS IT programme; Hansard, 7 December 2009
- Survey shows waning support for NPfIT; eHealth Insider, November 2007
- Deployment statistics; NHS Connecting for Health, 2009
- Electronic Prescription Service: Introducing Release 2; November 2007
- NHS Confidentiality Campaign; November 2007
Original Author: Dr Laurence Knott | Current Version: Dr Laurence Knott | Peer Reviewer: Prof Cathy Jackson
Last Checked: 14/03/2012 | Document ID: 2702 Version: 24 | © EMIS